atcomsystems.ca/forum
Posted By: WiringSolutions IES16 Toll Fraud - 03/26/18 05:21 PM
Hello All,

Customer had their provider shut down LD services after a suspicious call and I am trying to figure out how they were able to transfer the call.

I'm not seeing any new or modified mailboxes with extensions dialing out. The only thing I noticed was a couple of mailboxes with @G(xxx) in the extension field.

I have put the VM ports in a COS with Tandem connections disabled but I still need to find out what they actually did.

Any other ideas would be appreciated.
Posted By: WiringSolutions Re: IES16 Toll Fraud - 03/26/18 05:57 PM
Update: Apparently the customer already deleted 5 mailboxes
Posted By: newtecky Re: IES16 Toll Fraud - 03/26/18 11:38 PM
Hopefully the customer didn't delete anything important.

I wouldn't worry about the @G(XXX) mailboxes. These will only transfer to another mailbox. Those would likely have been set up by a real Toshiba tech.

In every case I have seen the hacked mailbox will have an extension field that starts with 9. It could be 901, or something else that lets the hacker get an outside line. Sometimes they create a new mailbox, and other times they modify an existing mailbox.

Disabling Tandem CO is a good step. That should prevent them from being able to transfer offsite.

I also add Destination Restrictions to the voicemail port, and change the default admin mailbox password.

Check to see when the last time someone logged into the admin mailbox was. If the customer is using the ES admin software, then it is likely that the last person to log in was the hacker.
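The indicator newtecky describes, a mailbox whose extension field starts with the trunk access code, is easy to sweep for in bulk once the mailbox list is exported. The following Python is an added example, not code from the thread or from Toshiba. It assumes a hypothetical CSV export with columns `mailbox`, `extension` and `modified` (ISO date); the sample rows are constructed, not real customer data, and the real ES admin export format will differ, so adjust the parsing to match it.

```python
"""Sweep a voicemail mailbox export for toll-fraud indicators.

Added example (not from the forum thread). Assumed, hypothetical export
format: CSV with columns mailbox, extension, modified (YYYY-MM-DD).
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export for demonstration; not real customer data.
SAMPLE_EXPORT = """mailbox,extension,modified
100,100,2017-11-02
101,101,2017-11-02
102,@G(102),2017-11-02
150,901,2018-03-24
151,9011,2018-03-25
152,,2018-03-25
"""

# Trunk (outside line) access code, per the thread. If the site's dial
# plan legitimately uses 9xx extensions, narrow this check accordingly.
OUTSIDE_LINE_PREFIX = "9"
RECENT_DAYS = 30   # how far back a change counts as "recent"


def parse_export(text):
    """Parse the assumed CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(export_text, today=None):
    """Return [(mailbox, extension, reasons)] for mailboxes whose
    extension field would seize an outside line when the voicemail
    system transfers to it.

    today: ISO date string used to judge "recent" changes; defaults to
    the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    hits = []
    for row in parse_export(export_text):
        ext = row["extension"].strip()
        if not ext:
            continue            # no transfer target at all
        if ext.startswith("@G("):
            continue            # mailbox-to-mailbox transfer, benign per the thread
        if not ext.startswith(OUTSIDE_LINE_PREFIX):
            continue            # ordinary internal extension
        reasons = ["extension field starts with trunk access code %s"
                   % OUTSIDE_LINE_PREFIX]
        modified = date.fromisoformat(row["modified"])
        if today - modified <= timedelta(days=RECENT_DAYS):
            reasons.append("created or modified within the last %d days"
                           % RECENT_DAYS)
        hits.append((row["mailbox"], ext, reasons))
    return hits


if __name__ == "__main__":
    for mailbox, ext, reasons in find_suspicious(SAMPLE_EXPORT, "2018-03-26"):
        print("mailbox %s -> %s: %s" % (mailbox, ext, "; ".join(reasons)))
```

Run it against the real export and review every hit by hand: a legitimate 9xx extension is possible, but an extension field like 901 or 9011 on a mailbox nobody recognises is exactly the pattern described above, and the modification date tells you whether it was planted recently or has been sitting there.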

© Sundance Phone System Forums - VOIP & Cloud Phone Help